If You Haven’t Applied Yesterday’s Patch Tuesday Updates… Now Would Be A Good Time

Posted in Commentary with tags on March 15, 2023 by itnerd

I say that because Microsoft used Patch Tuesday to correct a zero-day bug in the Windows SmartScreen anti-malware web service that was allowing hackers to deliver malware without users noticing. Tracked as CVE-2023-24880, this vulnerability allowed the hackers to prevent security alerts from popping up and warning users when opening malicious files from the Internet.

The exploit was discovered by Google’s Threat Analysis Group (TAG) and reported to Microsoft on February 15. The exploit uses malicious MSI files that were signed with a specially crafted Authenticode signature that would cause SmartScreen to fail and not alert the user. TAG points out that the real issue here is that Microsoft had “narrowly” patched a similar vulnerability, CVE-2022-44698, back in December, but as they pointed in out in their blog post this week:

“This security bypass is an example of a larger trend Project Zero has highlighted previously: vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants,”

“When patching a security issue, there is tension between a localized, reliable fix and a potentially harder fix of the underlying root cause issue. Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.

Morten Gammelgaard, EMEA, co-founder, BullWall had this to say:

   “The fact is, malicious actors will always find a way to get into your network. Microsoft had patched this vulnerability last December only to see the threat actors change direction and find a new way in. There is no final fix for network security. As we saw in a recent LA Housing Authority ransomware attack,  the LockBit group was in that network for an entire year before they took action and encrypted the network. 

   “Even Elon Musk had his spaceship designs stolen and held for ransom recently. And if you think no one will notice your small business, they will probably notice your suppliers and either shut down your supply chain or move laterally into your network itself.”

If you’re wondering where the Elon Musk reference comes from, this will help you to get up to speed on that. But in any case, given that this is a significant vulnerability that you need to get about patching ASAP.

Leave a comment »

Salesforce Web3 Announced By Salesforce

Posted in Commentary with tags on March 15, 2023 by itnerd

Salesforce has announced Salesforce Web3 to help companies create, manage, and deploy non-fungible tokens (NFTs) in a sustainable and trusted way. Salesforce Web3 enables brands to create connected customer experiences across Web2 and Web3, and scale efficiently with a unified platform.

Salesforce survey data finds nearly half (45%) of consumers would be more interested in purchasing an NFT if it came from their favorite brand and NFT Management and Web3 Connect innovations deliver a seamless experience creating NFTs easily and securely.

  • NFT Management helps retailers build brand love with digital collections. With NFT Management, brands are able to:
    • Create NFT Collections with Clicks, Not Code: In just a few clicks, customize and deploy secure, audited smart contracts they fully own and control in perpetuity.
    • Deliver Trusted Experiences: Keep their data secure with configurable privacy controls and proactive fraud detection.
  • Web3 Connect unifies customer data from Web3 across the Customer 360. By using Web3 Connect, companies can:
    • Enrich customer profiles with Web3 data: Unify Web2 and Web3 identities in their CRM with Web3 wallet IDs, NFT transaction history, and wallet risk scores
    • Create personalized, omnichannel experiences: Delight customers with a seamless experience across Web2 and Web3 channels, powered by their Customer 360 platform.
  • Salesforce customers Crown Royal, Mattel and Scotch & Soda agree after successfully creating and securely deploying NFT Collections during the pilot program that supported nearly 275,000 transactions between them.

See the newsroom post HERE for more details on these Web3 product innovations.

Leave a comment »

Jscrambler Takes Gold for Client-Side Security in Cybersecurity Excellence Awards 

Posted in Commentary with tags on March 15, 2023 by itnerd

Jscrambler today announced it received Gold Place in Client-Side Security in the Cybersecurity Excellence Awards.  

Jscrambler’s Webpage Integrity (WPI) offers a large set of functionalities aimed at protecting customers against sensitive data leaks and unwanted changes which may harm their company’s reputation and business. This is especially important as more commerce is conducted online than ever before. Two global e-commerce brands that rely on Jscrambler to protect their payment pages saw significant activity during Q4 2022. Webpage Integrity monitored a combined 40.3 million user sessions and blocked over 60.2 million data access attempts by third-party vendors. The continuous monitoring and proactive blocking of JavaScript running in the browser prevent these vendors from potentially accessing sensitive credit card data.   

WPI allows organizations to understand all the scripts that are being loaded onto each of their websites, as well as the potential risk associated. WPI provides rich information and insights to assist in mitigating any potential threats. Considering that vulnerabilities in third-party software account for 13% of all data breaches’ initial attack vectors with an average cost of $4.55M per data breach, it is fundamental for companies to have total visibility and control on their websites. 

Jscrambler  is a leading authority in client-side security software. Its solution defends enterprises from revenue and reputational harm caused by accidental or intentional JavaScript misbehavior. Jscrambler makes first-party code that is resilient to tampering and prevents interference with third-party code. The solution works continuously, keeping organizations protected regardless of how frequently things change. From code to runtime, Jscrambler has companies covered with a level of visibility and control that supports business innovation. Jscrambler’s customers include the FORTUNE 500, retailers, airlines, banks and other enterprises whose success depends on safely engaging with their customers online. Jscrambler keeps these interactions secure so they can continue to innovate without fear of damaging their revenue source, reputation, or regulatory compliance.

Find out more at: https://jscrambler.com/  

Leave a comment »

Has Amazon’s Ring Been Hacked? Ransomware Gang Posts Threat To Leak Data

Posted in Commentary with tags on March 15, 2023 by itnerd

The ALPHV ransomware group has claimed responsibility for an attack on Amazon’s security camera company, Ring, and is threatening to leak their data. This came to light because of this Tweet:

ALPHV is known for using the BlackCat malware in their attacks. The ALPHV group operates a ransomware-as-a-service platform. The group also has a searchable database of its victims who deny paying the ransom on the site.

The fact that someone might have pwned Amazon is plausible. Last December Brian Krebs carried a story on two US teens that were busted for taking control of RING camera’s and then Swatting the home owners and recording the police raid. The RING system is just one more IoT device that is attractive, and apparently vulnerable, to malicious hackers.

David Maynor, Senior Director of Threat Intelligence, Cybrary had this comment:

   “The exploitation of IOT devices that consumers rely on continues to march towards every dystopian movie plot. Attackers have moved from ransoming devices to ransoming companies. These attacks continue to have an increasing impact on the daily life of users.”

We’ll know soon enough if this threat to leak data is real or not. If it is real, I assure you, any company who plays in this space will be freaking out. And so will their customers.

Leave a comment »

Killnet Group Attempting to Form a Private Military Hacking Company

Posted in Commentary with tags on March 15, 2023 by itnerd

On March 13, Killmilk, the leader of the Russian hacktivist DDoS collective Killnet, announced on Telegram the establishment of “Black Skills,” a Private Military Hacking Company. 

The name “Private Military Hacking Company” is a clear riff on the growing presence and cult of private military companies in Russia (primarily the Wagner Group). It is also likely a not-so-subtle invitation to the Russian government to use Killnet’s resources as a cyber mercenary group, although it’s also unlikely they will deeply vet their clientele. 

This blog post from Flashpoint’s analysis team has a lot more detail on this: https://flashpoint.io/blog/killnet-killmilk-private-military-hacking-company/

Leave a comment »

NodeZero Analytics exposes attack paths & exploitability priorities, integrates with defensive tools

Posted in Commentary with tags on March 15, 2023 by itnerd

Horizon3.ai, leaders in autonomous penetration testing, have launched a major product refresh, doubling down on its commitment to help organizations continuously verify their security posture, including NodeZero Analytics, bringing “train like you fight” readiness and principles to security teams and MSSPs. 

NodeZero Analytics yields deeper insights, and answers the top questions every CISO and security team ask: “What’s exposed?” “What needs to be fixed first?” and “How will we do more with less?”

Foundational to Horizon3.ai’s philosophy is to use offense to inform defense, a derivative of the military principle to “train like you fight” in order to be prepared for a real cyber attack. NodeZero, Horizon3.ai’s continuous penetration testing platform, enables organizations to test their infrastructure at scale by chaining together harvested credentials, misconfigurations, dangerous product defaults, and exploitable vulnerabilities to achieve critical impacts like domain compromise and sensitive data exposure. 

The updated user experience puts powerful new insights into security teams’ hands to make autonomous pentesting a force multiplier. At the heart of the refresh are detailed attack paths with proof of exploitation, prioritized fix actions, and 1-click verification that the remediation was successful.

Leading by example: During a recent autonomous pentest of a large enterprise, NodeZero successfully elevated privileges to become a domain administrator while also compromising the organization’s business email system. The autonomous attack took 30 minutes to execute, with no humans involved, and chained together a variety of techniques including:  

  1. User enumeration combined with password spraying to compromise a domain user
  2. Dumping the SAM database by exploiting local admin privileges assigned to the domain user
  3. Reusing local admin credentials across multiple machines 
  4. Discovering a domain administrator credential by dumping credentials in LSA on a neighboring machine 
  5. Pivoting from domain admin to the Microsoft Azure Active Directory infrastructure (AzureAD)
  6. Gaining access to the domain administrator’s email, which did not have multi-factor authentication (MFA) enabled 

“The sequence of events in this attack path are typical of APT’s and ransomware organizations,” said Naveen Sunkavally, chief architect at Horizon3.ai. “What’s incredible is that this attack path isn’t hard coded as a runbook or predefined scripts anywhere in the product. Our machine learning techniques were able to figure out how to combine these different steps into an exploitable attack sequence safely in a production environment.” 

KEY FEATURES OF NodeZero: 

  1. Attack paths that clearly explain the exact sequence of events that lead to a critical impact, with proof of exploitation and detailed descriptions for exactly what to fix. 
  2. Leverage scoring that helps organizations prioritize and fix actions based on risk to the organization as well as return on effort. For example, leverage scoring can help an IT admin determine that fixing a single issue will eliminate 70% of all exploitable attack paths discovered in the pentest.
  3. Automatically generating compliance reports required for SOC2, HIPAA, GDPR, and other common compliance requirements.
  4. Surfacing systemic issues and policy recommendations to help organizations identify the true root cause for their exploitable attack surface. For example, poor credential policies can lead to systemically weak passwords that can be easily cracked by attackers. Compare Pentest Feature helps teams easily complete the Find-Fix-Verify Cycle by confirming that weaknesses and vulnerabilities identified in previous tests have been fixed.
  5. Self-service user experience that makes pentesting conveniently accessible to all types of users, from early career IT professionals to 20-year pentesting experts.
  6. Features specifically valuable for MSSP’s and MSP’s, including white labeled reporting, multi-client management, and auto-generating statements of work for remediation services. 

Leave a comment »

More Canadian Cities Along With The Province Of Ontario Ban TikTok

Posted in Commentary with tags on March 15, 2023 by itnerd

The list of Canadian Cities is growing. Hot off the heels of this, and this ban by four provinces, TikTok has new bans deal with.  The Toronto Star says that the following cities have banned TikTok:

In a statement to the Star Monday, the City of Vaughan said that, “effective immediately,” TikTok is no longer allowed to be installed or used on city workers’ corporate devices.

Meanwhile, Kitchener Mayor Berry Vrbanovic took to Twitter on Monday morning to announce the app is being removed from all its corporate smartphones, out of an “abundance of caution.”

Oh yeah and this also happened:

On March 9, the province of Ontario announced a TikTok ban on all provincial government-issued devices — the last province to do so, after all other provinces and territories followed the federal example of barring the app from corporate devices. 

So if you’re TikTok, you have to wonder what is next. The momentum against TikTok is growing and it’s only a matter of time before everyone, everywhere bans TikTok. And you have to wonder what the Chinese Communist Party will do as a result of these bans.

Buckle up.

Leave a comment »

Investment Fraud is Now Top Cybercrime Earner: Internet Crime Report

Posted in Commentary with tags on March 14, 2023 by itnerd

According to the 2022 Internet Crime Report compiled by the IC3, at $3.3 billion, Investment Fraud is now the top-earning cybercrime category, surpassing business email compromises in 2022, according to the FBI. Furthermore, the Bureau said the increase was mainly a result of criminals spoofing legitimate business phone numbers to confirm fraudulent banking details with their victims.

Global consumers and businesses filed throughout 2022:

•    $10.3bn total cybercrime losses (up 49% yoy)
•    801,000 complaints (down 46,000 yoy)
•    $3.31bn total Investment fraud (up 127% yoy)
•    $806.6m total Tech support fraud (up 132% yoy)
•    $2.7bn total BEC fraud (up 14% yoy)
•    300,000 phishing complaints (down 7% yoy but still the most popular form)

The report also noted that while 2,385 complaints about ransomware were reported last year, estimating losses at $34.4m, the loss figures do not represent the full scale of the financial burden placed on organizations. Also, many ransomware breaches go unreported and loss estimates do not include lost business, time, wages, files, equipment or third-party remediation services used by victims.

Monti Knode, Director of Customer Success, Horizon3.ai had this to say:  

   “The SVB collapse is a perfect storm for both Investment fraud and BEC — the top two losses categories from the IC3.

   “Right now, thousands of tech companies are moving their money, but even more fragile is the fact that they are messaging with their customers and reestablishing invoicing and payments. This is creating confusion and opens up opportunity for attackers to pose and prey on unwitting customers.

   “Tech companies caught up in the SVB collapse will need to be extremely diligent and get personal with their customer base to maintain trust during this tough time, or a customer may quickly attribute the moniker of “threat” to their vendor, and that’s nowhere anyone wants to be.”

This dovetails into a story that I put up yesterday saying that I expect attacks that are leveraging the failure of SVB. Given the numbers in this report, we could start seeing those attacks at any time. Never mind all the usual cybercrime that we see now. And that’s going to cost us all a lot of money.

Leave a comment »

New Fortinet FortiOS bug used to attack government networks

Posted in Commentary with tags on March 14, 2023 by itnerd

Sophisticated attackers are using a recent CVE vulnerability patched by FortiOS earlier this month to target government and large organizations. The patch for CVE-2022-41328 was released by Fortinet on March 7th for what FortiOS called a high-severity security vulnerability (CVE-2022-41328) that allows attackers to execute unauthorized code or commands.

In a report last week Fortinet revealed that a hack on one of its customers caused all of their FortiGate devices to begin shutting down at the same time, with “System enters error-mode due to FIPS error: Firmware Integrity self-test failed” messages and they failed to boot again. The FIPS-enabled devices verify the integrity of system components and if an integrity breach is detected, the device will shut down and refuse to boot to protect the integrity of the network.

The FortiGate firewalls were breached via a FortiManager device on the victim’s network and appeared to have been hacked using the same tactics. The investigation showed that the attackers modified the device firmware image (/sbin/init) to launch a payload (/bin/fgfm) before the boot process began.

“The attack is highly targeted, with some hints of preferred governmental or government-related targets,” the company said.

The attackers have also demonstrated “advanced capabilities,” including reverse-engineering parts of the FortiGate devices’ operating system.

“The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.”

Horizon3.ai Exploit Developer James Horseman had this to say:

   “The level of sophistication demonstrated in this attack indicates that the attackers have a deep understanding of FortiOS, which suggests that they have considerable resources and expertise at their disposal. This is likely a targeted attack, as indicated by Fortinet’s statement that there are “hints of preferred governmental or government-related targets.”

   “It is worth noting that the writeup from Fortinet does not provide information on how the attackers gained initial access, which is a crucial part of understanding the full scope of the attack. While CVE-2022-41328 allows for the execution of unauthorized code or commands, it requires privileged access. This suggests that the attackers either obtained credentials for the FortiGate/FortiManager devices or used another exploit to gain remote code execution. It is also possible that the attackers used an undisclosed 0-day to gain initial access.

   “Given the severity of the vulnerability and the potential for the attackers to have gained privileged access to the targeted systems, organizations that use FortiOS should take immediate steps to patch the vulnerability and monitor their systems for any suspicious activity. Additionally, it is important to stay informed about any new developments in this attack to understand its full impact and how the attackers were able to again initial access.”
 

David Maynor, Senior Director of Threat Intelligence, Cybrary follows up with this comment:

   “Fortinet has turned into the Ground Hog Day of vulnerabilities.”

What he’s referencing is that this isn’t the first go round with vulnerabilities related to Fortinet products:

In January, Fortinet disclosed a very similar series of incidents where a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was also used as a zero-day bug to target government organizations and government-related entities.

Thus I suspect that enterprises that own Fortinet gear may be thinking twice about having it on their networks.

Leave a comment »

This Month’s Patch Tuesday Drop Has A Ton Of Fixes That Should Make You Patch Everything Immediately

Posted in Commentary with tags on March 14, 2023 by itnerd

As I type this I am installing this month’s Patch Tuesday updates on all of my hardware and VMs that run Microsoft software. And according to Bleeping Computer, it’s a good thing that I am:

Today is Microsoft’s March 2023 Patch Tuesday, and security updates fix two actively exploited zero-day vulnerabilities and a total of 83 flaws.

Nine vulnerabilities have been classified as ‘Critical’ for allowing remote code execution, denial of service, or elevation of privileges attacks.

The number of bugs in each vulnerability category is listed below:

  • 21 Elevation of Privilege Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 27 Remote Code Execution Vulnerabilities
  • 15 Information Disclosure Vulnerabilities
  • 4 Denial of Service Vulnerabilities
  • 10 Spoofing Vulnerabilities
  • 1 Edge – Chromium Vulnerability

This count does not include twenty-one Microsoft Edge vulnerabilities fixed yesterday.

Gal Sadeh, Head of Data and Security Research, Silverfort has this view of some of the vulnerabilities fixed in this dump:


     “A critical RCE vulnerability in Remote Procedure Call Runtime, CVE-2023-21708, should be a priority for security teams as it allows unauthenticated attackers to run remote commands on a target machine. Threat actors could use this to attack Domain Controllers, which are open by default. To mitigate this, we recommend Domain Controllers only allow RPC from authorized networks and RPC traffic to unnecessary endpoints and servers is limited.

Being exploited in the wild, a vulnerability in Windows Defender SmartScreen (CVE-2023-24880) allows attackers to subvert in-built Windows protections blocking untrustworthy files.  The usual checks on reputation and source of files are bypassed, allowing malicious programs to run. This new threat is similar to another actively exploited SmartScreen vulnerability, patched by Microsoft in December 2022.

Another critical vulnerability, CVE-2023-23415, poses a serious risk as it allows attackers to exploit a flaw in Internet Control Message Protocol – which is often not restricted by firewalls – to gain remote code execution on exposed servers using a malicious packet. Requiring the targeting of a raw socket – any organization using such infrastructure should either patch or block ICMP packets at the firewall.”

Clearly it’s time to patch all the things. While the zero days are the most concerning, there are clearly other things here that you need to worry about.

Leave a comment »

« Older Entries
Newer Entries »